Block ciphers sensitive to Gröbner Basis Attacks

Transcription

1 Block ciphers sensitive to Gröbner Basis Attacks Johannes Buchmann, Andrei Pychkine, Ralf-Philipp Weinmann Technische Universität Darmstadt Abstract. We construct and analyze Feistel and SPN ciphers that have a sound design strategy against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, we present ciphers for which practical Gröbner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. We show how Gröbner bases for a subset of these ciphers can be constructed with neglegible computational effort. This reduces the key recovery problem to a Gröbner basis conversion problem. By bounding the running time of a Gröbner basis conversion algorithm, FGLM, we demonstrate the existence of block ciphers resistant against differential and linear cryptanalysis but vulnerable against Gröbner basis attacks. Keywords: secret key cryptography, cryptanalysis, block ciphers, algebraic attacks, Gröbner bases 1 Introduction Since the publication of Courtois and Pieprzyk s XSL method [1] and Murphy and Robshaw s embedding of AES-128 [2], a considerable interest in algebraic attacks on block ciphers has been provoked. While linearization based attacks on stream ciphers have been shown to be very successful, the claimed attacks on Rijndael-128 and Serpent have thus far been highly controversial. Gröbner bases however are a proven tool for solving polynomial systems. Cid, Murphy and Robshaw [3] recently did a first step of investigating the viability of an algebraic attack using Gröbner bases on scaled-down versions of the AES. The goal of this paper is to show that non-trivial iterated block ciphers with a reasonable block and key length in our case 128 bits can be constructed that are resistant against linear and differential cryptanalysis but which can be broken by computing an appropriate Gröbner basis. To this end we present two families of ciphers, Flurry, a Feistel network and Curry, a SPN construction. For both we specify suitable parameters and give estimates on the complexity of attacks using linear and differential cryptanalysis. We explain how to obtain polynomial equations describing the key recovery problem and how Gröbner bases can be used to solve them. Experimental results are given for selected examples. Finally we show how the key recovery problem for a subset of these ciphers is related to the problem of Gröbner basis conversion. 1.1 Notation We define the notation that we will be used throughout the rest of this paper. All operations of the block ciphers described in this paper are carried out over a finite field F := GF (2 k ) with k {8, 16, 32, 64}. We fix θ to be a generating element of F over GF (2), i.e. F := GF (2)(θ). The internal state of our cipher consists of multiple elements of F. To refer to individual elements of the state after the execution of a complete round transformation we use the following conventions: For Feistel ciphers, the internal state is represented by a vector. We use variables x (e) i to denote elements of the internal state of the cipher after the eth application of the round function and variables k (e) i to denote elements of the expanded key used in round e. For SPN ciphers, the internal state is represented by a square matrix. We denote the internal state variables after the eth application of the round function by x (e) i,j and the expanded key variables by k(e) i,j.

2 We define the state of round 0 to be the initial state and call the variables of the initial state plaintext variables. Correspondingly the variables referring to the state after the execution of the last round are called ciphertext variables. The set of state variables of a cipher is denoted by X, the set of expanded key variables by K. All polynomials considered are then elements of the polynomial ring R = F [X K]. A power product of variables of (X K) shall be called a term, whilst the product of a term and a coefficient c F shall be called a monomial. 2 Description of the cipher families In this section we give blueprints for Feistel and SPN ciphers that allow for a simple algebraic representations. For these we present parameters sets offering high resistance against differential and linear cryptanalysis and describe how to construct a system of polynomial equations. 2.1 The Feistel case: Flurry We construct the family Flurry(k, m, r, f, D) of Feistel ciphers. We explain the parameters used in this family: m N: the plaintext space, the ciphertext space and the cipher key space are F 2m. r N: the number of rounds f : F F : a non-linear mapping that gives the S-Box of the round function D = (d i,j ) F m m : this matrix describes the linear diffusion mapping of the round function. We set R = (r 1,..., r m ) F m, L = (l 1,..., l m ) F m and K = (k 1,..., k m ) F m. The round function ρ : F m F m F m F m F m of a Flurry cipher is then defined as: ρ(l, R, K) = (R, G(R + K) + L) with G : F m F m F m being the parallel application of m S-Boxes followed by a linear transform: f(r 1 + k 1 ) f(r 2 + k 2 ) G(r 1,..., r m, k 1,..., k m ) = D.. f(r m + k m ) A plaintext (L 0, R 0 ) is encrypted into a ciphertext (L r, R r ) by iterating the round function ρ over the number of rounds r: (L i, R i ) = ρ(l i 1, R i 1, K i 1 ) i = 1, 2,..., r 1 (L r, R r ) = ρ(l r 1, R r 1, K r 1 ) + (K r, K r+1 ) After the last round transformation, an additional key addition is performed on both halves of the state. Analogously, using the inverse function ρ 1 ρ 1 (L, R, K) = (G(L + K) + R, L) we can decrypt a ciphertext with the following sequence of steps: (L r 1, R r 1 ) = ρ 1 (L r + K r, R r + K r+1, K r 1 ) (L i 1, R i 1 ) = ρ 1 (L i, R i, K i 1 ) i = r 1, r 2,..., 1 The number of F -components of a cipher key, plaintext or ciphertext is denoted by t = 2m. 2

3 The key schedule The key schedule is affine linear over GF (2 k ). We write the cipher key as a tuple of vectors (K 0, K 1 ) F m F m. Let the round keys for the first two rounds be K 0, K 1 and recursively compute subsequent round keys for 2 i r + 1 as follows: K i = D K T i 1 + K i 2 + v i where D is the same matrix used in the round function of the cipher and the v i are round constants: v i = ((θ + 1) i, (θ + 1) i+1,..., (θ + 1) i+m 1 ) 2.2 The SPN case: Curry In this section we construct a family Curry(k, m, r, f, D) of ciphers similar to Square [4]. We explain the parameters used in this family: m N: the plaintext space, the ciphertext space and the cipher key space are F m m. r N: the number of rounds f : F F : a bijective non-linear mapping that gives the S-Box of the round function D = (d i,j ) F m m : an invertible matrix used for diffusion The round function ρ : F m m F m m F m m of a Curry cipher is defined as: ρ(s, K) = D G(S + K) T with G : F m m F m m being the parallel application of m 2 S-Boxes: G((s i,j )) = (f(s i,j )) A plaintext S 0 is encrypted into a ciphertext S r by iterating the round function ρ exactly r times followed by an additional key addition after the last round: Analogously, using the inverse function ρ 1 S i = ρ(s i 1, K i 1 ) i = 1, 2,..., r 1 S r = ρ(s r 1, K r 1 ) + K r ρ 1 (S, K) = G 1 ((D 1 S) T ) + K we can decrypt a ciphertext with the following sequence of steps: S r 1 = ρ 1 (S r + K r, K r 1 ) S i 1 = ρ 1 (S i, K i ) i = r 1, r 2,..., 1 Just as for Flurry, let the number of F -components of a key, plaintext or ciphertext be denoted by t, this time t = m 2. The key schedule For Curry the first round key is equivalent to the cipher key K 0 F m m. Just as for Flurry the key schedule is affine linear over GF (2 k ). Subsequent round keys K i, i 1 are recursively computed as follows: K i = D K i 1 + M i where D is the same matrix used in the round function and M i = ((a j,l )) with a j,l = θ i+(j 1)m+l. The matrices M i are round constants. 3

4 2.3 Selected parameters We will now specify suitable parameters for the S-Box function and the linear transformation. These will be used to more thoroughly investigate instances of our cipher constructions throughout this paper. The number of rounds shall be left unspecified for now. The S-Box functions The only non-linear components of Flurry and Curry ciphers are the S-Boxes. In order to obtain a cipher with good resistance against differential and linear cryptanalysis even for a low number of rounds the S-Boxes must be chosen very carefully. Two important characteristics of a S-Box are its differential uniformity and its nonlinearity, i.e. the distance of the S-Box function to an affine function. These are defined as follows: Definition 1. Let f : F F be a mapping and δ = max #{x F a,b F a 0 : f(x + a) = f(x) + b}. Then f is called differentially δ-uniform. In the following definition we use the map k 1 F GF (2) k (, a = ai θ i) (a 0,..., a k 1 ) to identify F with GF (2) k. For a = (a 0,..., a k 1 ), b = (b 0,..., b k 1 ) we set i=0 k 1 a, b = a i b i Definition 2. The nonlinearity of a function f : F F is defined as i=0 N (f) = min #{x F x, a f(x), b } a,b F b 0 For monomial functions as well as the multiplicative inverse over finite fields of characteristic two the k-uniformity and the nonlinearity have been well studied in the literature [5,6,7]. We want to keep the degree of our S-Box functions low in order to make Gröbner basis attacks feasible. Table 1 shows the S-Box functions that we have picked. Table 1. S-Box mappings function j mapping bijective over GF (2 k ) δ-uniformity N (f) x 1 iff x 0 f 1 x yes 4 2 k 1 2 k 2 0 iff x = 0 f 3 x x 3 no 2 2 k 1 2 k 2 f 5 x x 5 no 4 2 k 1 2 k 2 +1 f 7 x x 7 yes 6 2 k k 2 We call f 3, f 5 and f 7 monomial S-Boxes and f 1 the inversion S-box. Lemma f 3 is a 2-uniform mapping 2. f 1 and f 5 are 4-uniform mappings. 4

5 3. f 7 has δ-uniformity of 6 or less. For k = 4, f 7 is 4-uniform. Proof. Obviously for all a, b F with a 0 the equation x 7 + (x + a) 7 = b has at most 6 roots. For claims 1 and 2, see [5]. Lemma The nonlinearity of f 1 is 2 k 2 2 k For a polynomial function f : F F of degree d the following holds true: N (f) 2 n 1 d n 2 Proof. For claim 1, see [7], for claim 2 see [8]. The linear transformations We use matrices of Maximum Distance Separable codes MDS matrices for short for the matrix D in the linear layer. We chose these types of linear transformations since they have optimal diffusion properties. This strategy is widely used in modern block cipher design; all ciphers following the wide-trail design use diffusion optimal matrices. The matrix D 4 below actually is matrix used in the MixColumns step of Rijndael, D 2 is equivalent to a Pseudo-Hadamard Transform. D 2 = ( ) θ D 4 = θ θ θ θ θ θ + 1 θ θ Rijmen and Daemen introduced the notion of branch number of a linear transformation to measure the quality of the diffusion provided. For a F -vector X := (x 1,..., x m ) we define w(x) to be the hamming weight of X, i.e. the count of all non-zero coordinates of this vector. The following definition is according to [9]: Definition 3. Let M F n n be a matrix describing a be a linear map. The differential branch number B d (M) of M is then defined as B d (M) = min The linear branch number B l (M) is defined as X F m X 0 (w(x) + w(mx)) ( B l (M) = min w(x) + w(m T X) ) X F m X 0 For symmetric matrices such as D 2, the linear and the differential branch number clearly coincide. For D 4 the linear and differential branch number coincide for a different reason [9]. Thus in our case it suffices to speak of the branch number B(M) of a matrix M. In [9] it is shown that the branch number of MDS matrices is maximal, i.e. B(M) = n + 1 with n being the size of the matrix M. For block ciphers with m = 1 we use the identity matrix of size one, I 1, trivially resulting in a branch number of B(I 1 ) = 2. Note that the diffusion matrices are also used in the key expansion process. 2.4 Polynomial representation of the ciphers In the following we will detail how to obtain a system of polynomial equations that describes the transformation of a plaintext into a ciphertext block round by round using intermediate state variables. Please note that our description is slightly simplified. For the sake of legibility we have omitted the round key addition after the final round; for our experiments the final key addition has of course been retained. 5

6 Flurry For Feistel ciphers the left half of the state in round e is identical to the right half of the state in round e 1, giving rise to the following tr 2 trivial linear equations: x (e) j + x (e 1) j+m = 0 Each monomial S-Box of the cipher induces a polynomial equation of degree deg(f). Thus we get a total of tr 2 non-linear equations of form: x (e) m+j + x(e 1) j + m d j,l f l=1 ( x (e 1) m+l ) + k (e 1) l = 0 with 1 e ( r, 1 ) j m. When using the inversion S-Box the polynomial system is correct only with probability 2 k 1 mr. 2 The equations in this case are of a different form: k ( ) x (e 1) j + x (e) m+j m i=1 ( x (e 1) m+i ) + k (e 1) i + m m d j,l l=1 i=1 i l ( x (e 1) m+i The linear equations for the key schedule of Flurry can be written as: k (e) j + k (e 2) j + (θ + 1) et+j + m l=1 d j,l k (e 1) l = 0 ) + k (e 1) i = 0 with 2 e r, 1 j m. Curry No trivial linear equations hold between intermediate state variables. Denote by x (e) (i,j) the variable in row i, column j of the state in round e, analogously for k(e) all rounds e > 0 the following equations hold with 1 i, j m: x (e) m i,j + d i,l f l=1 ( x (e 1) j,l Again for f 1 the non-linear equations look different: x (e) i,j m u=1 ( x (e 1) j,u ) + k (e 1) j,u + m m d i,l l=1 ) + k (e 1) j,l = 0 u=1 u l ( x (e 1) j,u ) + k (e 1) j,u = 0 (i,j). Then for Using the above equations, the polynomial system also does not hold with probability one but with with ( ) probability 2 k 1 m2 r 2. k The linear equations for the key schedule can be expressed as follows: with 1 e r, 1 i, j m. k (e) i,j + (θ)e+(i 1)m+j + m l=1 d i,l k (e 1) l,j = 0 Additionally, for each variable v (X K) the relation v 2k + v = 0 holds. These relations are called field equations; they will not be included in our polynomial system however. 6

7 3 Resistance against classical attacks In this section we determine the strength of our cipher constructions against differential and linear cryptanalysis. Differential cryptanalysis is a chosen-ciphertext attack due to Biham and Shamir and was the first successful attack on the DES [10]. This type of attack makes use of statistical weaknesses of the first order derivative of the cipher. Selecting carefully chosen plaintext pairs with specific differences, the cryptanalyst makes assumption about their propagation through the cipher and predicts output differences in ciphertext pairs. If these predictions are correct with sufficiently high probability they allow an attacker to determine round key bits. Linear cryptanalysis is a known plaintext attack that was developed by Matsui [11] to attack the DES. For this attack to succeed, the cryptanalyst has to construct a key-independent linear approximation for individual output bits of the cipher. By counting the number of time this linear approximation agrees with the actual output of the cipher she can establish which value for the key bit is more likely. The notion of practical security of block ciphers against differential and linear cryptanalysis was first introduced by Knudsen [12]. The exact definition of this notion is postponed to the end of Section 3.2. We will derive the number of rounds that will make our cipher practically secure against differential and linear cryptanalysis. Note that our objective was not to evaluate the strength of our ciphers against all known attacks. Our ciphers may very well be vulnerable against one or several advanced attacks even if they resist standard linear and differential cryptanalysis. Indeed, as an example we argue that the choices we have made for the S-Boxes are very weak against interpolation attacks. 3.1 Estimating the resistance against differential and linear cryptanalysis A fundamental parameter that influences the complexity of differential and linear attacks is the minimum number of active S-Boxes N over consecutive rounds of the cipher. Kanda [13] gives useful results on both SPN ciphers and Feistel ciphers with a SP round function; from these we derive the following lemma: Lemma 3. The minimum number of active S-boxes in 4, 6, 8 consecutive rounds of a Feistel cipher with SP round function is lower bounded by B(D), B(D) + 2 and 2B(D) + 1 respectively. For an SPN cipher the minimum number of active S-Boxes for 2r consecutive rounds is lower bounded by rb(d). In the following X denotes a uniformly distributed random variable in GF (2) n and ρ : GF (2) n GF (2) n a function for which we wish to compute the linear and differential probability. Definition 4. The linear probability for a pair (a, b) GF (2) n GF (2) n with a 0 is defined as LP(a, b) = (2 Pr X { a, X = b, ρ(x) } 1) 2 In the above definition, a is called input mask and b is called output mask of a round. A vector of masks A = (a 1,..., a r+1 ) with a i 0 for all 1 i r is called linear characteristic of a cipher. Definition 5. The differential probability for a pair ( x, y) GF (2) n GF (2) n with x 0 is defined as DP( x, y) = Pr X {ρ(x) + ρ(x + x) = y} The value x is called input difference of a round, while y is called output difference. A vector of differences A = (a 1,..., a r+1 ) with a i 0 for all 1 i r is called differential characteristic of a cipher. Definition 6. Let Ω L be the set of all linear characteristics and Ω D the set of all differential characteristics of a cipher C. The maximum linear characteristic probability (MLCP) of C is MLCP(C) = max A Ω L i=1 7 r LP(a i, a i+1 )

8 Analogously the maximum differential characteristic probability (MDCP) of C is MDCP(C) = max A Ω D r DP(a i, a i+1 ) 3.2 Differential and linear cryptanalysis of Flurry and Curry In this section we show how to compute upper bounds of MLCP and the MDCP of ciphers of the Flurry and Curry family. From these bounds we deduce the number of rounds required to make an instance practically secure against differential and linear cryptanalysis. The maximum differential probability of a function f : F F can be calculated from δ as p(f) = where δ is according to Definition 1. The maximum linear probability of a mapping f : F F can be computed as ( ) 2N (f) 2 q(f) = 1 #F where N (f) is defined as in Section 2.3. For both SPN ciphers and Feistel ciphers with an SP round function the MDCP is bounded by p(f) N and the MLCP is bounded by q(f) N [13]. According to Knudsen [12], a block cipher with dependent round keys is practically secure against differential and linear cryptanalysis if the MLCP and the MDCP is too low for an attack to work under the assumption of independent round keys. Note however that for both r-round Feistel and r-round SPN ciphers, we need to consider the MLCP and MDCP of r 2 rounds because of attacks that guess bits of the first and the last round key, so called 2R attacks. i=1 δ #F 3.3 Interpolation attacks Jakobsen and Knudsen presented interpolation attacks in [14] as a counterpoint to the growing trend of using algebraic S-Boxes such as those proposed by Nyberg. In fact, interpolation attacks can be seen as the first algebraic attacks on block ciphers. The underlying intuition of this attack is that the relationship between plaintext and ciphertext can always be expressed as a tuple of polynomial expressions. If the degree of these polynomials is low enough, the coefficients of the polynomials can be interpolated from a number of plaintext/ciphertext pairs. A key dependent equivalent of the encryption or the decryption algorithm can thus be found. Moreover, should the size of a round key be smaller than the size of the cipher key, the cipher key can be recovered by applying the attack to all but the last round and verifying the guesses for the last round key using the resulting tuple of polynomials in effect peeling off the final round. This obviously works for Feistel ciphers. Flurry and Curry quite naturally are susceptible to interpolation attacks their clean structure and the monomial S-boxes make them textbook examples. As a matter of fact, the cipher PURE presented in the original article is identical to the 64-bit cipher Flurry(32, 1, I 1, f 3, r) sans key scheduling. Jakobsen and Knudsen give upper bounds on the number of required pairs for known-plaintext interpolation attacks for selected examples. This number increases exponentially with the degree of the polynomial function describing the S-Box, the number of rounds and the number of elements in the internal state, while for the attacks we present in the next section this remains a fairly constant quantity. 4 Attacks using Gröbner Bases Gröbner bases are standard bases of polynomial ideals that can be used for solving systems of polynomial equations. What Gaussian elimination does for systems of linear equations, Gröbner basis algorithms try to emulate for polynomial systems. Unfortunately the computational complexity of Gröbner basis algorithms for nonlinear systems is no longer polynomial. In this paper we restrict ourselves to known-plaintext Gröbner 8

9 Basis attacks that recover a secret key of a block cipher from a small number of plaintext/ciphertext pairs faster than an exhaustive search of the key space by computing Gröbner Bases. We will briefly introduce the concepts necessary to explain our results. For a more thorough introduction to Gröbner bases we refer the interested reader to [15] and [16]. In the following we will use the conventions of [15]. Definition 7 (Term order). A term order < is a linear order on the set of terms such that 1. 1 t for all terms t 2. for all terms s, t 1, t 2 whenever t 1 < t 2 then st 1 < st 2 If a term order has been fixed, we define HT(f) to be the greatest term occuring in the polynomial f R according to this order; this term is called the head term. Correspondingly HM(f) is the head monomial, i.e. the head term of f multiplied with the matching coefficient. We will now introduce two useful and widely used term orders. To accomplish this we first need to define some technicalities: For a term t = v e 1 1 ve 2 2 ven n we define the exponent vector of t to be ɛ(t) = (e 1, e 2,..., e n ) N n 0. The total degree of the term t then is deg(t) = n i=1 e i. Example 1 (Lexicographic term order). For terms s, t we define s < lex t iff there exists an i with 1 i n such that the first i 1 components of ɛ(s) and ɛ(t) are equal but the ith component of ɛ(s) is smaller than the ith component of ɛ(t). Example 2 (Degree reverse lexicographic term order). For terms s, t we define s < DRL t iff either deg(s) < deg(t) or if deg(s) = deg(t) and s < lex t. Definition 8 (Syzygy polynomial). The syzygy polynomial of two polynomials f, g is defined as spol(f, g) = lcm(hm(f), HM(g)) f HM(f) lcm(hm(f), HM(g)) g HM(g) For a set of polynomials G R we can define the reduction of a polynomial f R to a remainder r which we will denote by f G r. The result of this operation may not uniquely defined if G is not a Gröbner basis. In the following we will only be interested in polynomial divisions that leave no remainder. Definition 9 (Reduction to zero). A polynomial f R reduces to zero modulo a set G = {g 1,..., g n } R, if there exists a vector of polynomials (m 1,..., m n ) such that f n i=1 m ig i = 0 with HT(m i g i ) HT(f) for all 1 i n. Definition 10 (Gröbner basis). Let I be an ideal of R. A finite set of polynomials G I is a Gröbner basis of I if f G 0 holds for every f I. Let P be a set of multivariate polynomial equations p i = 0. For the ideal I generated by the set P = {p i } computing the Gröbner basis relative to an appropriate term order, e.g the lexicographical term order enables us to solve the system P Computing a Gröbner basis relative to a total-degree order however usually is faster than computing a lexicographical Gröbner basis of the same ideal. This was the reason for the development of algorithms that change the term order of a Gröbner basis. Several algorithms for this task are known; the two most prominent are the FGLM algorithm [17] and the Gröbner Walk [18]. While the FGLM algorithm as originally described only works for zero-dimensional ideals, i.e. when the number of solutions of P in the closure of F is finite, the Gröbner Walk does not have this restriction. 9

10 4.1 Key recovery using Gröbner Bases In general, estimating the time and space complexity of Gröbner basis algorithms is a hard problem. For the systems of equations coming from the cryptosystem HFE, Faugere and Joux were able to explain the good performance of the F5 algorithm [19] solving these systems [20]. For polynomial systems induced by block ciphers, no theoretical works estimating the performance of Gröbner basis algorithms are currently known. We therefore carried out experiments to study the resistance of our ciphers against Gröbner Basis attacks. Results of these experiments are presented and analysed in section 4.2. The Gröbner basis attack we have successfully used on instances of Flurry and Curry to determine the secret key from a small number of plaintext/ciphertext pairs entailed the following steps: 1. Set up a polynomial system P = {p i = 0} for the cipher in question with p i R as described in Section 2.4. The system P consists of both cipher and key schedule equations. 2. Request a plaintext/ciphertext pair ((P 1,... P t ), (C 1,..., C t )). This gives rise to the following additional system of linear equations G = {g i = 0}: x (0) 1 + P 1 = 0. x (0) t + P t = 0 x (r) 1 + C 1 = 0. x (r) t + C t = 0 Let I be the ideal generated by the set of polynomials L = ( i {p i}) ( i {g i}). We call this ideal the key recovery ideal. 3. Compute a degree-reverse lexicographic Gröbner basis G DRL of I. For ciphers using a multiplicative inverse as S-Box function, the system may be inconsistent, resulting in G DRL = If G DRL = 1 go to Step 2, otherwise proceed. 5. Use a Gröbner basis conversion algorithm to obtain a lexicographical Gröbner basis G lex from G DRL. The variable ordering should be such that the key variables of the first round are the least elements. 6. Compute the variety Z of I using the Gröbner basis G lex. 7. Request another plaintext/ciphertext pair (P, C ). 8. Try all elements k Z as key candidates to encrypt P. If k does not encrypt P to C, remove k from Z, otherwise retain. 9. If Z still contains more than one element, go to step Terminate Considerable complexity is hidden in step 6. To compute the variety of an ideal using a lexicographical Gröbner basis, we need to successively eliminate variables by computing zeroes of univariate polynomials and back-substituting results. Of course the complexity of this depends on the number of solutions of the polynomial system (zeroes of the ideal) and the complexity of the algorithm for finding roots of univariate polynomials. The standard algorithm for finding roots of univariate polynomials is the Berlekamp algorithm which has a run-time complexity of O(d 3 ) with d being the degree of the polynomial; this degree of course is bounded by 2 k 1. The best algorithm for factoring polynomials is due to Kaltofen and Shoup [21] and has a complexity of O(d k) field operations. The number zeroes is equivalent to the number of distinct keys encrypting the plaintext to a ciphertext. In general we can expect this number to be small. 4.2 Experimental results We have performed experiments to analyze the resistance of Flurry and Curry using the computer algebra system Magma [22], version , on an AMD Athlon Linux PC equipped with 1024 Megabytes of RAM. Magma implements Faugére s F4 algorithm [23] and is widely considered the best publicly available 10

11 tool for computing Gröbner bases. We have chosen k and m such that the ciphers evaluated are 128-bit block ciphers. Table 2 lists a number of instantiations of Flurry and Curry ciphers for which we were able to successfully recover the secret key. We see that ciphers with inversion-based S-boxes are easier to break than ciphers which use a monomial S-box, even if the monomial is of very low degree. Furthermore we were unable to determine an a priori indicator for selecting the most efficient Gröbner basis conversion algorithm in some cases FGLM was faster, in other cases the Gröbner walk; the same holds for the memory consumption. We would like to point out that the 6, 8 and 10 round Flurry ciphers listed below are resistant to linear and differential cryptanalysis. Table 2. Experimental results achieved with Magma cipher conversion CPU time memory used Flurry(64, 1, I 1, f 1, 4) Walk sec 3.48 MBytes Flurry(64, 1, I 1, f 1, 4) FGLM sec 3.48 MBytes Flurry(64, 1, I 1, f 3, 4) Walk 0.04 sec 3.48 MBytes Flurry(64, 1, I 1, f 3, 4) FGLM sec 3.58 MBytes Flurry(64, 1, I 1, f 5, 4) Walk 1.28 sec 3.97 MBytes Flurry(64, 1, I 1, f 5, 4) FGLM 2.3 sec 6.36 MBytes Flurry(64, 1, I 1, f 7, 4) Walk sec 6.22 MBytes Flurry(64, 1, I 1, f 7, 4) FGLM sec 33.4 MBytes Flurry(64, 1, I 1, f 1, 6) Walk 0.15 sec 3.58 MBytes Flurry(64, 1, I 1, f 1, 6) FGLM sec 3.58 MBytes Flurry(64, 1, I 1, f 3, 6) Walk sec MBytes Flurry(64, 1, I 1, f 3, 6) FGLM sec MBytes Flurry(64, 1, I 1, f 1, 8) Walk 3.43 sec 4.51 MBytes Flurry(64, 1, I 1, f 1, 8) FGLM 1.46 sec 4.46 MBytes Flurry(64, 1, I 1, f 1, 10) Walk sec MBytes Flurry(64, 1, I 1, f 1, 10) FGLM sec MBytes Flurry(64, 1, I 1, f 1, 12) Walk sec MBytes Flurry(64, 1, I 1, f 1, 12) FGLM 2064 sec MBytes Flurry(32, 2, D 2, f 1, 4) Walk sec MBytes Flurry(32, 2, D 2, f 1, 4) FGLM sec MBytes Flurry(16, 4, D 4, f 1, 2) Walk 264 sec MBytes Flurry(16, 4, D 4, f 1, 2) FGLM sec MBytes Curry(32, 2, D 2, f 1, 3) Walk sec MBytes Curry(32, 2, D 2, f 1, 3) FGLM sec MBytes As mentioned in Section 2.4 we did not add the field equations to our polynomial systems. In our case, these equations are of extremely high degree. Generally it only makes sense to add these additional relations if the ground field is very small. 4.3 Gröbner bases without polynomial reductions In some cases it is possible to directly determine whether a set of polynomials forms a Gröbner basis without computing normal forms. In the following let be G R be a finite set of polynomials with 0 G. Proposition 1 (First Buchberger criterion). Suppose that we have f, g G such that lcm(ht(f), HT(g)) = HT(f) HT (g) i.e the head terms of f and g are pairwise prime. Then spol(f, g) G 0. Proposition 1 is the first Buchberger criterion. Together with the following theorem given in [16], we can decide whether a sequence of polynomials is a Gröbner basis from looking at the head terms alone. 11

12 Theorem 1. The set G is a Gröbner basis iff spol(f, g) G 0 for all f, g G with f g. For the case of polynomial S-boxes, this enables us to compute degree-reverse lexographic Gröbner bases of key-recovery ideals of Flurry and Curry without performing a single polynomial reduction. Observe that for a total-degree order the head terms of all polynomials of I are univariate. For each polynomial of round e, either a power of a state variable of the preceeding round or a power of a key variable of the current round occur as head term. However some head terms occur more than once. By using an appropriate degree reverse lexicographical term order we can force the set of head terms of each round to be disjunct from the set of head terms of all other rounds: Curry To make the variable ordering more legible, we reduce the number of indexing of our variables: we identify x (e) i,j with x et+im+j and k (e) i,j with k et+im+j. We then fix the following variable order: x 0 <... < x }{{ t 1 < x } tr <... < x t(r+1) 1 }{{} plaintext variables ciphertext variables Flurry Again we decrease the number of indexes: we identify x (e) i the following variable order: < k 0 <... < k t(r+1) 1 < x t <... < x }{{}}{{ tr 1 } key variables internal state variables with x et+i and k (e) i with k et+i. We then fix x 0 <... < x }{{ t 1 < x } tr <... < x (t+1)r 1 < x t(r 1)+m <... < x tr 1 }{{}}{{} plaintext variables ciphertext variables state variables of the right Feistel k m(r 1) <... < k mr 1 }{{} key variables of round r half of the second last round < k 0 <... < k m 1 }{{} key variables of the first round < k m <... < k m(r 1) 1 < k mr <... < k m(r+2) 1 < }{{} x t <... < x t(r 1)+m 1 }{{} all other key variables state variables of all other rounds To make the following linear transformation easier to describe we use a vectorial representation for Flurry and a matrix representation for Curry. The entries in the vector and matrix of each round are the left-hand side polynomials of the nonlinear cipher equations. We can multiply the vectors respectively matrices of all rounds by D 1 to obtain pairwise prime head terms within each and across rounds. For Curry this is sufficient. For Flurry we also need to adjust the key schedule equations. Observe that the nonlinear polynomials of the first and the last round have powers of key variables as head terms. These key variables are of the first and the last round respectively. For the first round this poses no problem. However for the last round the key schedule polynomials that produce the round last key have the same head terms. To remedy this situation we need to rewrite the key schedule equations. We express all round keys but the last round key as a linear combination of the first two round keys and can then write the second round key as a linear combination of the first and the last round key. This results in all head terms being pairwise prime. In order for this to work for Flurry, the order of the matrix used in the key schedule needs to be greater than the number of rounds. We have shown how to make the head terms of all polynomials pairwise prime. Hence by Theorem 1, we have obtained a Gröbner basis. The trick however does not work Flurry and Curry instances with inversion S-Boxes, as the head terms in these cases are never univariate. < 4.4 Complexity of Gröbner basis conversions using FGLM For the FGLM algorithm, we will show how to estimate the complexity of a Gröbner basis conversion. The running time mainly depends on two parameters, the vector space dimension of the ideal I generated by the Gröbner basis G R and the number of variables of the polynomial ring R. 12

13 Definition 11. Let R := F [X]. For an ideal I R the dimension of the F -vector space of the ideal R/I is denoted by dim(r/i). The following theorem shows how this invariant of an ideal can be computed in general. Theorem 2. Let G be a Gröbner basis of the ideal I. Then dim(r/i) = # {t T (R) : HT (f) t for all f G} Corollary 1. Let G = {g 1,..., g n } be a Gröbner basis for the ideal I F [x 1,..., x n ] with head terms x d 1 1,..., xdn n. Then dim(r/i) = d 1 d n. Corollary 2. Let I be an ideal of an instantiation of either a Flurry or a Curry cipher as described in Section 2.4 and f a polynomial function. Then the following holds: 1. dim(r/i) = deg(f) mr for Flurry k,m,f,r. 2. dim(r/i) = deg(f) m2r for Curry k,m,f,r. We restate Theorem 5.1 of [17]. Theorem 3. Let K be a finite field and R = K[x 1,..., x n ]. Furthermore G 1 R is the Gröebner basis relative to a term order < 1 of an ideal I, and D = dim(r/i). We can then convert G 1 into a Gröbner basis G 2 relative to a term order < 2 in O(nD 3 ) field operations. In general we can assume the constant factor for the above estimate to be small. For the space complexity of the algorithm, no bound is given in the original paper. We note that the dominant memory requirement of the FGLM algorithm is a D nd matrix over F. Thus the memory usage of the algorithm is upper bounded by (nd 2 k)/8 bytes. This allows us to estimate the maximum resistance of Flurry and Curry ciphers with polynomial S-Boxes against Gröbner basis attacks. Note that for the Curry cipher we need to use a bijective S-Box in the round function; the lowest degree S-Box function in our paper that is bijective is f 7. Table 3. Upper bounds on the complexity of breaking 128-bit Flurry and Curry ciphers with FGLM cipher n dim(r/i) # of operations memory required (bytes) Flurry 32,2,4,f3,D O( ) Flurry 32,2,4,f5,D O( ) Flurry 32,2,4,f7,D O( ) Flurry 32,2,6,f3,D O( ) Flurry 32,2,6,f5,D O( ) Flurry 32,2,6,f7,D O( ) Flurry 32,2,8,f3,D O( ) Flurry 32,2,8,f5,D O( ) Flurry 32,2,8,f7,D O( ) Flurry 16,4,4,f3,D O( ) Flurry 16,4,4,f5,D O( ) Flurry 16,4,4,f7,D O( ) Curry 32,2,3,f7,D O( ) For the Gröbner Walk we are unable to theoretically gauge the complexity. The running time for this algorithm heavily depends on the source and target term order, whereas for FGLM it only depends on invariants of the ideal. Kalkbrenner gives degree bounds [24] that can be applied to the Gröbner Walk; these are very loose however. The best bound known a result about the growth of the degrees in each step; it can be shown to be at most quadratic. Estimating the global complexity for the Gröbner Walk seems to be a hard problem. 13

14 5 Conclusions We have demonstrated that Gröbner basis algorithms can be used to successfully mount key-recovery attacks on algebraically simple block ciphers with large block and key size, even when they are practically secure against differential and linear cryptanalysis. This can be accomplished with a minimal number of known plaintext/ciphertext pairs. Furthermore we have demonstrated that Gröbner bases for ciphers that follow our construction principle can be calculated by hand. These Gröbner bases are relative to a total-degree order instead of a lexicographical order and thus do not give the solution to the polynomial system directly. However, our contribution shows that the problem of recovering a key for these block ciphers can be reduced to a Gröbner basis conversion. By giving a closed formula for the vector space dimension of the ideal of all inversion-free ciphers considered we were able to estimate the complexity of a Gröbner basis conversion using the FGLM algorithm. This allowed us to determine more instances of Flurry and Curry ciphers that are vulnerable against Gröbner basis attacks. For the Gröbner Walk algorithm, it is an open problem to give bounds on its time and space complexity. 14

15 A Appendix Below we give upper bounds for the maximum differential and linear characteristic probability for selected Curry and Flurry ciphers. Since we have fixed the diffusion matrices in Section 2.3, the actual matrix to be used only depends on the parameter m. For space reasons this is not explicitly listed in the table. Table 4. MDCP for selected 128 bit Flurry ciphers Flurry k,f,m,r,d (64, f 1, 1) (32, f 1, 2) (16, f 1, 4) (k, f, m) (64, f 3, 1) (32, f 3, 2) (16, f 3, 4) (64, f 5, 1) (32, f 5, 2) (16, f 5, 4) (64, f 7, 1) (32, f 7, 2) (16, f 7, 4) p s r= < < 2 88 < 2 53 r= < < < 2 80 r= < < < Table 5. MLCP for selected 128 bit Flurry ciphers Flurry k,f,m,r,d (f 1, 1) (f 1, 2) (f 1, 4) (k, f, m) (f 3, 1) (f 3, 2) (f 3, 4) (f 5, 1) (f 5, 2) (f 5, 4) (f 7, 1) (f 7, 2) (f 7, 4) q s r= < < 2 80 < 2 43 r= < < < 2 64 r= < < < 2 97 Table 6. MDCP for selected 128 bit Curry ciphers Curry k,f,m,r,d (k, f, m) (32, f 1, 2) (8, f 1, 4) (32, f 7, 2) p s r= < r= < r= < Table 7. MLCP for selected 128 bit Curry ciphers Curry k,f,m,r,d (32, f 1, 2) (8, f 1, 4) (k, f, m) (32, f 2, 2) (8, f 2, 4) (32, f 7, 2) q s r= < r= < r= <

16 B Appendix Example 3. The following sequence of polynomials G is a Gröbner basis for a Flurry(32, 2, D 2, f 3, 4) w.r.t. the degree-reverse lexicographical order. Variables are ordered as follows: x 0 < x 1 < x 2 < x 3 < x 16 < x 17 < x 18 < x 19 < x 14 < x 15 < k 0 < k 1 < k 6 < k 7 < k 2 < k 3 < k 4 < k 5 < k 8 < k 9 < k 10 < k 11 < x 4 < x 5 < x 6 < x 7 < x 8 < x 9 < x 10 < x 11 < x 12 < x 13 G = { } plaintext: x 0 + θ 31 + θ 29 + θ 27 + θ 24 + θ 22 + θ 21 + θ 19 + θ 13 + θ 11 + θ 8 + θ 7 + θ 6 + θ 4 + θ x 1 + θ 31 + θ 30 + θ 29 + θ 22 + θ 21 + θ 15 + θ 14 + θ 11 + θ 10 + θ 7 + θ 6 + θ 5 + θ 3 + θ 2 + θ x 2 + θ 31 + θ 29 + θ 27 + θ 26 + θ 25 + θ 24 + θ 21 + θ 19 + θ 18 + θ 16 + θ 15 + θ 14 + θ 8 + θ 7 + θ 6 + θ 4 + θ + 1 x 3 + θ 27 + θ 26 + θ 24 + θ 22 + θ 21 + θ 20 + θ 18 + θ 17 + θ 15 + θ 13 + θ 11 + θ 9 + θ 6 + θ 4 + θ ciphertext: x 16 + θ 31 + θ 29 + θ 28 + θ 27 + θ 26 + θ 24 + θ 21 + θ 19 + θ 18 + θ 16 + θ 15 + θ 14 + θ 12 + θ x 17 + θ 28 + θ 26 + θ 24 + θ 21 + θ 20 + θ 18 + θ 16 + θ 13 + θ 10 + θ 9 + θ 8 + θ 6 + θ 5 + θ 3 + θ + 1 x 18 + θ 29 + θ 25 + θ 21 + θ 20 + θ 19 + θ 17 + θ 16 + θ 15 + θ 14 + θ 13 + θ 10 + θ 9 + θ 8 + θ 7 + θ 6 + θ 5 + θ 3 x 19 + θ 29 + θ 27 + θ 26 + θ 20 + θ 13 + θ 10 + θ 8 + θ 5 + θ 2 round 1: x 4 + x 2 x 5 + x 3 k k2 0 x 2 + k 0 x x3 2 + C 1x 7 + C 1 x 6 + C 1 x 1 + C 1 x 0 k k2 1 x 3 + k 1 x x3 3 + C 2x 7 + C 1 x 6 + C 2 x 1 + C 1 x 0 round 2: x 8 + x 6 x 9 + x 7 x x2 6 k 2 + x 6 k k3 2 + C 1x 11 + C 1 x 10 + C 1 x 5 + C 1 x 4 x x2 7 k 3 + x 7 k k3 3 + C 2x 11 + C 1 x 10 + C 2 x 5 + C 1 x 4 round 3: x 12 + x 10 x 13 + x 11 x x2 10 k 4 + x 10 k k3 4 + C 1x 9 + C 1 x 8 + C 1 k 9 + C 1 k 8 + C 1 x 15 + C 1 x 14 x x2 11 k 5 + x 11 k k3 5 + C 2x 9 + C 1 x 8 + C 2 k 9 + C 1 k 8 + C 2 x 15 + C 1 x 14 round 4: x 14 + x 16 x 15 + x 17 k k2 6 x 14 + k 6 x x C 1x 13 + C 1 x 12 + C 1 k 11 + C 1 k 10 + C 1 x 19 + C 1 x 18 k k2 7 x 15 + k 7 x x C 2x 13 + C 1 x 12 + C 2 k 11 + C 1 k 10 + C 2 x 19 + C 1 x 18 key expansion: k 11 + θ 2 k 7 + (θ 2 + θ + 1)k 1 + θk 0 + θ 4 + θ 2 k 10 + θ 2 k 6 + θk 1 + k 0 + θ 3 + θ k 9 + (θ 2 + θ)k 7 + (θ + 1)k 6 + θ 2 k 1 + (θ + 1)k 0 + θ 6 + θ 5 + θ k 8 + (θ + 1)k 7 + (θ + 1)k 6 + (θ + 1)k 1 + k 0 + θ 5 + θ 3 k 5 + (θ 2 + θ + 1)k 7 + θk 6 + θ 2 k 1 + (θ + 1)k 0 + θ 6 + θ 4 + θ 3 + θ k 4 + θk 7 + k 6 + (θ + 1)k 1 + k 0 + θ 5 + θ 4 + θ k 3 + θ 2 k 7 + (θ + 1)k 6 + (θ 2 + θ + 1)k 1 + θk 0 + θ 6 + θ 5 + θ 4 + θ k 2 + (θ + 1)k 7 + k 6 + θk 1 + k 0 + θ 5 + θ 2 + θ + 1 with C 1 = (θ + 1) 1 and C 2 = 1 + (θ + 1) 1 16

17 References 1. Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In Zheng, Y., ed.: ASIACRYPT. Volume 2501 of Lecture Notes in Computer Science., Springer (2002) Murphy, S., Robshaw, M.J.: Essential Algebraic Structure within the AES. In Yung, M., ed.: CRYPTO. Volume 2442 of Lecture Notes in Computer Science., Springer (2002) pp Cid, C., Murphy, S., Robshaw, M.: Small Scale Variants of the AES. In: Fast Software Encryption, 12th International Workshop, FSE 2005, Paris, France, February 21-23, Lecture Notes in Computer Science, Springer (2005) 4. Daemen, J., Knudsen, L., Rijmen, V.: The block cipher Square. [25] Nyberg, K.: Differentially Uniform Mappings for Cryptography. [26] Beth, T., Ding, C.: On Almost Perfect Nonlinear Permutations. [26] Dobbertin, H.: One-to-One Highly Nonlinear Power Functions on GF (2 n ). Applicable Algebra in Engineering, Communication and Computing 9 (1998) Cheon, J.H., Chee, S., Park, C.: S-boxes with Controllable Nonlinearity. In Stern, J., ed.: EUROCRYPT. Volume 1592 of Lecture Notes in Computer Science., Springer (1999) Daemen, J., Rijmen, V.: The Design of Rijndael: The Wide Trail Strategy. Springer-Verlag (2001) 10. Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. In Menezes, A., Vanstone, S.A., eds.: CRYPTO. Volume 537 of Lecture Notes in Computer Science., Springer (1991) Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In Stinson, D.R., ed.: CRYPTO. Volume 773 of Lecture Notes in Computer Science., Springer (1994) Knudsen, L.R.: Practically Secure Feistel Ciphers. In Anderson, R.J., ed.: FSE. Volume 809 of Lecture Notes in Computer Science., Springer (1994) Kanda, M.: Practical Security Evaluation against Differential and Linear Cryptanalyses for Feistel Ciphers with SPN Round Function. In Stinson, D.R., Tavares, S.E., eds.: Selected Areas in Cryptography. Volume 2012 of Lecture Notes in Computer Science., Springer (2001) Jakobsen, T., Knudsen, L.: The Interpolation Attack on Block Ciphers. [25] Becker, T., Weispfenning, V.: Gröbner Bases A Computational Approach to Commutative Algebra. Springer-Verlag (1991) 16. Cox, D.A., Little, J.B., O Shea, D.: Ideals, Varieties, and Algorithms. 2nd edn. Springer-Verlag, NY (1996) 536 pages. 17. Faugère, J.C., Gianni, P., Lazard, D., Mora, T.: Efficient Computation of Zero-Dimensional Gröbner Bases by Change of Ordering. Journal of Symbolic Computation 16 (1993) Collart, S., Kalkbrener, M., Mall, D.: Converting Bases with the Gröbner Walk. Journal of Symbolic Computation 24 (1997) Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: ISSAC, ACM (2002) pp Faugère, J.C., Joux, A.: Algebraic Cryptanalysis of Hidden Field Cryptosystems Using Gröbner Bases. In Boneh, D., ed.: CRYPTO. Volume 2729 of Lecture Notes in Computer Science., Springer (2003) pp Kaltofen, E., Shoup, V.: Subquadratic-time Factoring of Polynomials over Finite FIelds. Mathematics of Computation 67 (1998) University of Sydney Computational Algebra Group: The Magma Computational Algebra System (2004) Faugère, J.C.: A New Efficient Algorithm for Computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139 (1999) Aoki, K.: Efficient Evaluation of Security against Generalized Interpolation Attack. In Heys, H.M., Adams, C.M., eds.: Selected Areas in Cryptography. Volume 1758 of Lecture Notes in Computer Science., Springer (2000) Biham, E., ed.: Fast Software Encryption, 4th International Workshop, FSE 97, Haifa, Israel, January 20-22, 1997, Proceedings. In Biham, E., ed.: FSE. Volume 1267 of Lecture Notes in Computer Science., Springer (1997) 26. Helleseth, T., ed.: Advances in Cryptology - EUROCRYPT 93, Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings. In Helleseth, T., ed.: EUROCRYPT. Volume 765 of Lecture Notes in Computer Science., Springer (1994) 17